DNS hijacking – where a device reroutes your messages or takes you to a completely new and fake destination may seem like the stuff of dreams. After all, one might somehow expect that this conversion of website addresses into a numerical code is automatic and beyond manipulation – but it’s not.
What is DNS
Domain Name System (DNS) is often called the phonebook or the librarian of the Internet. When you type in an address, for example techradar.com, this is translated into an Internet Protocol address. It’s like a librarian telling you the shelf number and the Dewey Decimal Number of that nonfiction book you are looking for. Without this system in place, you would need to write in the precise IP address yourself. That would be difficult enough with IP addresses with the IPv4 protocol and an impossibility with alphanumeric IP addresses derived with the newer IPv6 protocol.
While a phone book usually has just one number per house, DNS puts several librarians at your service. They include the DNS recurser which looks for a specific book in a library, the Root nameserver which can point you to the right shelf, the top-level-domain server which would divide requests by location in the library such as .com or org. and authoritive nameserver for that definitive last word on that desired location. These four work together in an organised, systematic search to give you the desired information. To make it even more simple, your device is usually using the DNS settings provided by your internet provider or has been setup to use the one from Google.
More than one type of DNS attack
A DNS hijacking is when this system is manipulated to send you to a different location – or to send you on a circuitous route to said destination. And as shown by the long chain of DNS librarians at work, there are a number of places where the system can be attacked.
DNS hijacking has typically been done at two levels – first, manipulating the DNS system within an end user’s device or router and secondly by modifying a specific DNS server within the system.
The third type of DNS hijacking is with a Miria-type army of hacked smart devices. In this case, the devices send a barrage of requests to the targeted server, knocking the overloaded server offline. While not the traditional DNS hijacking, it shows how a misused address can be dangerous.
Your device has been routed
DNSCHanger is the traditional poster child for the first example of a DNS hijacking. Developed in Estonian, this malware took over the DNS settings of infected computers and redirected users to its own servers. Victims had a battery of suspect advertising streamed to their devices. The malware is estimated to have infected four million devices and garnered the developers around $14 million of fraudulent advertising money before its takedown in 2012.
More recently, DNS hijacking has moved to the router level. With this type of attack, the malware is typically distributed via an infected website. Once the victim visits the site, they are redirected to a landing page which often opens up as a new window or tab. Technically, this is called a cross-site forgery. On a practical level, the attack on the router can start without the victim’s further involvement.
Thanks to this ability to redirect the infected device to a destination of their choice, cybercriminals have a variety of monetisation options. Some of the most common options include pushing suspect ads to devices on the network, sending the device to phishing sites mimicking those from banks or Netflix in the hopes of getting financial data, or by installing crypto mining scripts on the device.
The DNS system has just been hacked
It’s not just the endpoint device – or that home router – which is vulnerable. By hijacking DNS servers themselves, hackers have been able to steal email and other login credentials and using this information to redirect email and VPN traffic to an IP address that they controlled. The DNSpionage campaign used malicious websites with job postings as the lure, with victims downloading Microsoft Office documents with embedded macros.
The hackers have used a classic Man-in-the-middle approach to collect SSL encryption certificates for targeted domains which also allowed them to then decrypt the intercepted email and also the VPN-protected traffic.
These manipulations of the DNS system are believed to be state sponsored cyber-espionage. The attacks in 2018 and 2019 largely targeted government, military, and energy-focused organisations in the Middle East and North Africa. In a look ahead at the future, hacked organisations also included a domain name registry organisation.
How to keep your device and router safe from a DNS hijacking?
The strategies and action steps needed to secure one’s network and devices from a DNS attack differ for the typical end user and those of a larger organisation. For the typical end user, defending against a DNS hijacking is largely an issue of good operational hygiene.
Check that router – Check your router to see if the router is running an up-to-date version of software.
Control those passwords – Are you using the default passwords which came with the device and are those credentials protected with a strong password?
Look for the lock – Look for the padlock in the browser URL bar. While cybercriminals do use HTTPS on occasion, the absence of the HTTPS logo should be a direct warning that a phishing attempt is underway.
Alexander Vukcevic, Director, Protection Labs & QA